CARLO GAVAZZI UWP30RSEXXXSE User manual

Brand: CARLO GAVAZZI

Model: UWP30RSEXXXSE

Type: User manual

This manual is also suitable for

UWP30RSEXXX

CARLO GAVAZZI

Automation Components

Cybersecurity Guideline

Cybersecurity in Energy Monitoring and Building

Automation applications

07/04/2021

2

Carlo Gavazzi Controls S.p.A.

Cybersecurity

Cybersecurity in Energy Monitoring and Building

Automation applications

Abstract

This document will help system integrators,

installers and end-users of Energy Monitoring

and Building Automation applications to protect

their installation by highlighting some core areas

in the cybersecurity process and helping them

to do the right choices for designing, setting-

up or operating a secure and reliable system. It

includes an introduction to security topics in data

automation and control systems, and points out

the responsibility of involved parties, focusing on

the most critical parts inside the target installation.

Introduction

Nowadays, cybersecurity in industrial, commercial

and residential installations is a source of concern:

cyber-threats and attacks increase day by day, and

a drastic rise of IT security incidents is reported

by the Governmental institutions like ICS-Cert

(Industrial Control Systems Cyber Emergency

Response Team, www.us-cert.gov/ics) or BSI

(Bundesamt für Sicherheit in der Informationstechnik,

www.bsi.bund.de/DE/Home/home_node.html).

Why cybersecurity is so important? Because a lack in

cybersecurity could lend to a loss in one or more of

the following assets:

• the availability of system functionalities

• the condentiality of data, and protection of

intellectual property

• the integrity of the application function and

components in use

• the authenticity of controllers and their data.

Cybersecurity is a process, not a product: security

improvements need to be continuously maintained

and updated. For these reasons, it is not possible

to achieve 100% security. Even when designed with

state-of-the-art security measures, a system may

still be vulnerable to connections to the networks of

suppliers, contractors, and partners.

Dierent Installations, common needs

There are a multitude of use cases in the building automation and energy monitoring realms; nonetheless, many

of them share the same architectures and the same actors. For these reasons it is possible to address a common

strategy to get rid of the most critical cybersecurity issues and start the process in the right way.

3

Carlo Gavazzi Controls S.p.A.

The actors

The common actors are:

Actor Description

Potential issues in the cybersecu-

rity process

System-integrator, system de-

signer

Who is in charge of designing the

system according to the project

specication

Insucient cybersecurity

awareness lends to wrong design

choices

Installer

Who is in charge of commission-

ing the system according to the

designer’s instructions

Insucient cybersecurity

awareness lends to wrong

deployment

End-User

Who is in charge of operating the

system in the daily usage

Insucient cybersecurity

awareness lends to wrong

operation

Owner

Who is in charge of setting the

budget limits, cybersecurity targets

and functional specication for the

project

Insucient cybersecurity

awareness lends to overestimate/

underestimate the necessary

countermeasures

Manufacturer

Who is the manufacturer of a hard-

ware and/or software component

of the system

Insucient cybersecurity

awareness lends to an unsecure

component

Basically, it is clear that cybersecurity awareness is the main target of any actor at dierent levels to avoid

missing the target. For the manufacturer it means developing products according to opportune guidelines

and for the end-user to operate the system according to the right best practices (i.e. avoiding to use unse-

cure passwords). On the other side, this is the proof that an ad-hoc mix of cybersecurity training and guide-

lines is the rst point to be addressed, at any level, to implement a secure system.

4

Carlo Gavazzi Controls S.p.A.

The architecture

As stated above, most of the systems in the building automation and energy monitoring application can be

layered according to a common set of parts, which corresponds to the IoT paradigm.

Level Description

Field

The operational technology level, close to the application level; it

includes meters, sensors, actuators and the relevant eldbuses.

Edge

The borderline between eld and cloud; it is where gateways and

controllers are located.

Fog

An intermediate level which could mix part of the edge and cloud

functions so to provide a better scalability.

Cloud

The Internet level, where the immense resources of distributed servers

allow full interoperability and maximum data elaboration.

Each layer interacts with the other ones, so a cybersecurity threat impacting onto one layer could possibly

scale and impacting the other ones. Never forget that any system is as secure as its weakest part, when

cybersecurity is concerned.

5

Carlo Gavazzi Controls S.p.A.

Protection levels

Even if cybersecurity is a global concern, there is not a universally recognized standard. However, threat rec-

ognition and countermeasures are usually shared by dierent standards. The worldwide-accepted IEC 62443

standard denes ve dierent levels of security. It is important to follow an established guideline to organize

threats according to the connected risk; the division proposed by the IEC-62443 standard is based on security

levels:

Security level Description

0 (SLO) No protection required

1 (SL1)

Prevent the unauthorized disclosure of information via eavesdropping or casual exposure.

Example: wrong set-up.

2 (SL2)

Prevent the unauthorized disclosure of information to an entity actively searching for it

using simple means with low resources, generic skills and low motivation.

Example: no security measures, hacker.

3 (SL3)

Prevent the unauthorized disclosure of information to an entity actively searching for

it using sophisticated means with moderate resources, application specic skills and

moderate motivation.

Example: moderate security measures, high level hacker

4 (SL4)

Prevent the unauthorized disclosure of information to an entity actively searching for it

using sophisticated means with extended resources, application specic skills and high

motivation.

Examples: Specic development, knowledge of the application, or corruption of insiders.

Eliminating 100% of cybersecurity risks involves a potentially unlimited budget, due to the impact of the

needed countermeasures onto all assets and people. The purpose of any decision maker should be setting

the right budget for assuring a security level in line with the needs of the target system and organization.

The system integrator could then design the system according to the functional needs and the acceptable risk,

by choosing the right components and using the right guidelines.

The operational functions of system can be damaged or interrupted in dierent ways. Security measures fo-

cus on intentional threats such as sabotage, vandalism or spying nonetheless unintentional issues caused by

wrong hardware, software, commissioning or service could harm the assets, and must be taken into considera-

tion while designing the system.

A pragmatic approach

Some of the best practices are listed here, with the purpose of setting up a line of defence for the target sys-

tem.

Task Description

Dene the sys-

tem constraints

and the critical

assets

Dene the acceptable and unacceptable risks when it comes to the cybersecurity of the

system.

Train the people

Assure that all the people involved in the project receive the training level corresponding

to their tasks, and to the relevant risks.

Dene a target

and a budget

Dene a clear cybersecurity target and allocate the budget accordingly. Each project is

the result of a compromise between expected goals and budget constraints nonetheless

it is mandatory to know if there are known weaknesses, so to possibly solve them at the

next budget review.

6

Carlo Gavazzi Controls S.p.A.

Task Description

Involve external

competent

resources when it

is necessary

Cybersecurity is an evolving matter, where intentional harming is possible. Updated

expertise is mandatory to face risks

Choose the best

components,

according to your

goals and budget

For designing the system, use the components that can demonstrate the requested

security level thanks to an accredited third party certication or rating.

Dene the

necessary

procedures

A system is made of products and procedures: if an ultra-secure controller is used and

the user doesn’t tell the password to anybody, there is no way to protect the system.

Cybersecurity is responsibility of any of the parties involved in the system lifetime.

The above guideline is valid for any party involved in the project, from the system integrator who designs the

system, to the manufacturer who develops the software and hardware components.

A real world example: securing the EDGE

The EDGE level is possibly the most critical: being at the same time in contact with the operational technology

(OT) part in the eld and the information technology part (IT) in the cloud, it is the most sensitive brick in the

IoT paradigm. A strong EDGE level is for sure a robust foundation on which to base the whole architecture.

EDGE cybersecurity: the system integrator

The system integrator has the task to build up the system providing the necessary functional requirements ac-

cording to the expected level of cybersecurity. He needs to choose the right components and set the necessary

procedures to get the goal.

There are three important best practices:

Best practice Description

Training

Continuous training with competent trainers is the key to keep the pace with evolving

cybersecurity threats

Dene a protect-

ed environment

Place the EDGE part in a protected environment, in which both physical and logical

access is regulated. This means:

• installing EDGE controllers into locked cabinets

• dening a trusted network, so to restrict communication to authorized systems/users

• use encrypted communication whenever possible

Choose best in

class compo-

nents

Choose software and hardware components from solid companies with an established

reputation, and assuring their cybersecurity level by means of ocial ratings provided by

accredited third parties

Test the system

A testing procedure to warranty the achieved cybersecurity level is a necessary part of

the commissioning

7

Carlo Gavazzi Controls S.p.A.

EDGE cybersecurity: the manufacturer

The manufacturer has the task of developing software and hardware components with the necessary level of

cybersecurity according to the demand of the target applications, and to document the achieved level.

There are three important best practices:

Best practice Description

Training

Continuous training with competent trainers is the key to keep the pace with evolving

cybersecurity threats

Development

techniques

Adopting development practices which put cybersecurity at the top rank of the expected

goals is the key point to warranty future proof products

Testing Testing products with respect to cybersecurity

Assessment Checking the cybersecurity level with the help of an experienced and trustable third party

Marking Submit the product for an ocial third party marking from an accredit laboratory

EDGE cybersecurity: the end-user

The end-user is in charge of using the system delivered by the system integrator. He/she has some responsi-

bilities, too.

Here are the most important best practices:

Best practice Description

Training

Continuous training with competent trainers is the key to keep the pace with evolving

cybersecurity threats

Rules

Always follow the rules dened in the company policies as far as cybersecurity is

concerned

Condentiality

Preserve condential data like user proles and passwords, as they are the key access

points to the system; follow GDPR rules

Update

Always keep updated the system: a secure software installed onto an unsecure PC,

generates an unsecure system

Marking Submit the product for an ocial third party marking from an accredited laboratory

8

Carlo Gavazzi Controls S.p.A.

Implementing a secure architecture with UWP 3.0, the Carlo Gavazzi EDGE solution

In this section we will nd out how to develop a secure architecture as far as the EDGE layer in an Energy

Management / Building Automation installation. The EDGE unit is UWP 3.0. The following architecture is

based on the 3-tier model described above, with eldbus, edge and fog/cloud layers.

Vulnerability topologies

Both single assets and systems can be compromised by cybersecurity issues at dierent levels. For further

information, refer to the “Architecture (threats by zone)”.

Legend

Icon Meaning

End user/operator System integrator

See “Responsibility by role”

Software and device supplier. See “Responsibility by role”

Area of potential cybersecurity risks

9

Carlo Gavazzi Controls S.p.A.

Architecture (threats by zone)

UWP 3.0 Tool

Web App

Car Park Server

UWP 3.0

Building automaon

Energy Car park

AUTOMATION SERVER

MONITORING + CONTROL

°C °Clx kWhkWh kWhm m

WEB-SERVER

Gateway

Smart Dupline

DALI

Modbus RTU

Modbus TCP/IP

LAN

WAN

BACnet

Modbus TCP/IP

FTP

API

MQTT

SMTP

Smart Dupline

LAN

WAN

LAN

WAN

Fieldbus Interface

CONFIGURATION

10

Carlo Gavazzi Controls S.p.A.

Pillars of the cybersecurity deployment

Best practice Description

Training to all the involved people

Training necessary to users about adopting the necessary security

procedures (Project owner)

Dening a protected environment

Setting the target system borders according to the functional needs and

the expected security level (Project owner, system integrator)

Selecting the right components

Selecting components fullling the expected cybersecurity level (System

integrator)

Dening responsibilities

Allocating cybersecurity responsibilities according to the stakeholder’s

scope (Project owner)

Technical documentation

Providing the system’s documentation for both the system and the single

components (System integrator, manufacturer)

Testing

Periodically assessing the system in terms of its cybersecurity strength

(Project owner, system integrator)

System integrator’s best practices

• ASSESSMENT: always do a risk analysis at the beginning of the project to check the cycbersecurity risks,

their impact, and the necessary level of security

• NETWORK SEGMENTATION: whenever possible, always divide the target networks in physical or logical

segments for which it is possible to set the necessary rules for lter the access to the target services

• ACCESS CONTROL: dene and implement the access authorization according to the target customer

policies; dene password change policies

• FIREWALL: protect the inbound access to any service with a rewall, whose rules must be set according to

company policies

• VPN: use a Virtual Private Network with encrypted tunnel to provide access to remote users

• UPDATE: always update the system’s software/rmware components to the patch level which warranties the

fullment of the company cybersecurity policies

• REMOVABLE STORAGE: avoid using removable storage (USB sticks) as they are often cyberthreats carriers

• ENDPOINT HARDENING: the whole system is only as secure as its weakest part; having VPN, Firewall and

robust protocols is useless if the user’s PC is not protected/updated

11

Carlo Gavazzi Controls S.p.A.

Dening a protected environment with UWP 3.0

Placing the gateway/controller in a protected environment is mandatory to avoid undesired access to the con-

troller or its application.

A protected environment is achievable thanks to the following measures:

• Physical locking. Locked cabinets with no chances of directly accessing the protected units.

• Managed LAN. The intranet network has well-dened user rights and no direct access from outside.

• VPN access. Internet access protected by a rewall and VPN tunnelling.

Moreover, the following additional practices are needed:

• INDEPENDENCY. Keep the trusted network as small as possible and independent from other networks.

• FIELDBUS PROTECTION. Protect the cross-communication of controllers and the communication among

controllers and eld devices via standard communication protocols (eldbus systems) by appropriate

measures. Very often, they are not protected by additional measures, such as encryption. An open physical

or data access to eldbus systems and their components is a serious security risk.

• LOCKING. Lock such networks and strictly separate them from commonly used access.

12

Carlo Gavazzi Controls S.p.A.

Architecture

Oﬃce segment

UWP 3.0 Tool

pp

W

eb A

pp

Network segmentaon

Physical

locking

Web App

UWP 3.0

Automaon segment

UWP 3.0

Fieldbus Fieldbus

Firewall

VPN tunnel

Network

locking

VPN tunnel

UWP 3.0 Tool

13

Carlo Gavazzi Controls S.p.A.

Available security measures with UWP 3.0

As far as the cybersecurity of the UWP 3.0 ecosystem, our target as Carlo Gavazzi is to provide countermeas-

ures to assist users and system integrators for protecting their system availability, integrity, and condentiality.

The UWP 3.0 architecture includes two main parts:

• the UWP 3.0 Tool software, aimed at setting-up and maintaining an UWP 3.0 based system

• the UWP 3.0 device, which includes the gateway/controller’s hardware itself and its runtime.

Both parts operate together when setting up a system.

The following sections describe measures and features that are or will be available in the latest generation of

UWP 3.0. In order to protect the application and the controller, the use of the latest version of the UWP 3.0

Software and Firmware is required. It can be downloaded for free at the Carlo Gavazzi Website. The tables

below provide an overview on the measures, their zones within UWP 3.0, and for whom they are intended.

Each measure is explained.

UWP 3.0 Tool (Software IDE)

Measure Relevant for System

Integrators

Relevant for End-Users Valid against

Protected access to

UWP 3.0 via UWP 3.0

Tool IDE

Yes Occasional/unintentional

threats and attacks

“Encryption and signa-

ture of the conguration

code”

Yes Intentional attacks

“Alerting for rmware/

software update avail-

ability”

Yes

Occasional/unintentional

threats and attacks

“Online IDE update” Yes

Occasional/unintentional

threats and attacks

Protected access to UWP 3.0 via UWP 3.0 Tool IDE

Measure for System Integrators

Access to the UWP 3.0 system via UWP 3.0 Tool can be restricted to specic user proles.

User rights over specic building automation functions can be proled according to two separate levels.

Encryption and signature of the conguration code

Measure for System Integrators and End Users

The conguration set-up by using the UWP 3.0 Tool IDE, is signed and encrypted to preserve authenticity and

contents.

Both UWP 3.0 Runtime and UWP 3.0 Tool check for available updates onto the Carlo Gavazzi servers.

If any update is available, an alert is highlighted:

• Within the UWP 3.0 Tool interface

• Within the UWP 3.0 Web-App interface

14

Carlo Gavazzi Controls S.p.A.

By checking the alert’s contents, both system integrators and end-user can check which security xes are

available in the updating package.

Note: it is responsibility of system integrator and end-user to decide how and when to deploy the software/

rmware upgrade according to the relevant company policies.

Alerting for rmware/software update availability

Measure for System Integrators and End Users

Both UWP 3.0 Runtime and UWP 3.0 Tool check for available updates onto the Carlo Gavazzi servers.

If any update is available, an alert is highlighted:

• Within the UWP 3.0 Tool interface

• Within the UWP 3.0 Web-App interface

By checking the alert’s contents, both system integrators and end-user can check which security xes are

available in the updating package.

Online IDE update

Measure for system Integrators

By leveraging the online update system of the UWP 3.0 Tool, the system integrator can easily upgrade both

the IDE and the Runtime to the latest release.

Note: it is responsibility of the system integrator to check that the relevant application operation works as ex-

pected after the update task.

15

Carlo Gavazzi Controls S.p.A.

UWP 3.0 (Runtime)

Measure

Relevant for System Inte-

grators

Relevant for End-Users Valid against

“User administration” Yes Yes

Occasional/unintentional

threats and attacks

Embedded API restricted

access

Yes

Occasional threats and

attacks

“Minimalistic approach

(less is more)”

Yes Yes

Occasional/unintentional

threats and attacks

“Encryption and signa-

ture of the conguration

code”

Yes Intentional attacks

“Robust implementation

of eldbus communica-

tion”

Yes

Occasional/unintentional

threats and attacks

“Protected Runtime up-

date”

Yes Yes Intentional attacks

Granular user administra-

tion

Yes Yes

Occasional/unintentional

threats and attacks

Alerting for rmware/soft-

ware update availability

Yes Yes

Occasional/unintentional

threats and attacks

VPN Access Yes Yes Intentional attacks

Disaster recovery Yes

Occasional/unintentional

threats and attacks

Signed and encrypted

backup le

Yes Intentional attacks

User administration

Measure for System Integrators and End-Users

User access to the embedded web servers via the Web-App and the Car Park web access is possible only

via authentication. Only passwords fullling security requirements are accepted. The embedded web-server

accepts HTTPS connections for maximum security.

The embedded web-server is pen-tested periodically with updated tools to eventually implement the necessary

patches against new vulnerabilities.

Embedded API restricted access

Measure for System Integrators

Access to embedded APIs (Rest-API and SOAP API) is possible only on authentication basis. After authentica-

tion a time-limited token is released to allow remote systems to interact with UWP 3.0.

16

Carlo Gavazzi Controls S.p.A.

Minimalistic approach (less is more)

Measure for System Integrators and End-Users

The UWP 3.0 rmware is based on Linux O.S. Carlo Gavazzi implemented its own distribution due to 2 rea-

sons:

• Having full control over the whole system, so to implement more secure interfaces

• Having a minimalistic approach and implementing only the sub-systems and services needed by UWP 3.0

applications.

That’s a way to avoid vulnerabilities that could leverage unecessary subsystems/services to attack UWP 3.0.

Encrypted communication

Measure for System Integrators

All the embedded communication functions based on MQTT dialects are encrypted, and the relevant security

is based on the updated policies of the target MQTT broker.

Both SFTP and FTPS encrypted protocols are available to implement secure communication based on FTP.

Note: it is responsibility of the system integrator to choose the most secure protocol among the available ones.

UWP 3.0 includes also FTP for supporting legacy systems with no encryption available, but its use should be

discouraged to prevent man-in-the-middle attacks.

Robust implementation of eldbus communication

Measure for System Integrators

UWP 3.0 supports many dierent eldbuses, including MODBUS/RTU, MODBUS/TCP, Dupline®, BACnet/

IP, LoRa®. As Carlo Gavazzi we fully commit to provide cyber-secure systems. Nonetheless, system design

choices have a big impact over the application’s security. For example, using MODBUS/TCP over internet via

an unprotected channel (no VPN) greatly increases cybersecurity risks, due to the open-nature of MODBUS

itself.

By leveraging the online update system of the UWP 3.0 Tool, the system integrator can easily upgrade both

the IDE and the Runtime to the latest release.

Note: it is responsibility of the system integrator to check that the relevant application operation works as ex-

pected after the update task.

Protected Runtime update

Measure for System Integrators and end-users

UWP 3.0 runtime is updated via the UWP 3.0 Tool IDE, so to guarantee better control over intentional/uninten-

tional misconguration and rmware upgrades; it can be password-protected.

Granular user administration

Measure for System Integrators and End Users

A set of rules to control the access to dierent areas of the web-app to specic user proles will allow strict

control over user operation.

17

Carlo Gavazzi Controls S.p.A.

Alerting for rmware/software update availability

Measure for System Integrators and End Users

Both UWP 3.0 Runtime and UWP 3.0 Tool check for available updates onto the Carlo Gavazzi servers.

If any update is available, an alert is highlighted:

• Within the UWP 3.0 Tool interface

• Within the UWP 3.0 Web-App interface

By checking the alert’s contents, both system integrators and end-user can check which security xes are

available in the updating package.

VPN Access

Measure for System Integrators and End Users

A VPN infrastructure is provided by Carlo Gavazzi to UWP 3.0 users, so to allow easy access to remote ap-

plications, via an authenticated, encrypted channel for either operation or set-up purposes.

Disaster recovery

Measure for System Integrators

A disaster recovery procedure to backup and restore completely a working UWP 3.0 system is available within

the UWP 3.0 Tool.

Note: it is responsibility of the system integrator to set-up the backup procedure according to the company

policies and to restore the system according to the installation needs.

Signed and encrypted backup le

Measure for System Integrators

Backup les are signed and encrypted to prevent any attempt of injecting malicious code by an attacker.

18

Carlo Gavazzi Controls S.p.A.

UWP 3.0 Tool and Web App: Password Management

UWP 3.0 TOOL

From the 8.3.5 version onwards, for cybersecurity reasons we added a new management of the

communication between the UWP 3.0 Tool and controller so to guarantee the security of the information

transmitted by the Tool to the controller and vice versa. In fact, these information are password-protected.

Note: the communication protection is total and mandatory.

First connection to the updated controller

After the controller upgrade to the new version, at your login you see a password input screen.

For the rst login, use the default password “admin” that you have then to replace with a stronger one.

Strong passwords should be at least 8 characters long and contain at least:

• one lower case character

• one upper case character

• one number

• one symbol (!, ?, @, …)

Example: “Admin123!”

Once you have sent the new password to the controller, you will lose the connection with the controller and

you will need to log in again with the new password.

Note: after every disconnection you will need to enter your password.

Changing your password

From the Program Setup panel, click Password enter your current password and the new (stronger)

password.

Important note: if you lose your password, please contact Carlo Gavazzi.

Connecting to the controller versions earlier than 8.3.5

The connection between the UWP 3.0 Tool version 8.3.5 to the controller versions 8.3.3 - 8.3.5 is always

possible. In that case, the Tool will connect to the controller using an unsecure connection and you will be

able to update the controller.

Note: the connection has a timeout of 5 seconds that permits Tool to reach the controller in case of slow or

congested network.

19

Carlo Gavazzi Controls S.p.A.

Compatibility with the old password

In the versions earlier than 8.3.4, the password protection was facultative and custom with the possibility of

protecting the controller against some operations.

From the version 8.3.5 onwards, this operation is cancelled and completely replaced with the new password

management.

When you update the controller to the 8.3.5 version, for the rst connection to that controller you have to use

the default password “admin”.

UWP 3.0 WEB APP

The password management in the UWP 3.0 Web App is the same except for the compatibility with the

previously set password. In fact, in the Web App, if the old password is strong enough, it will be preserved.

Otherwise, for your rst login you will have to replace it with a stronger one.

20

Carlo Gavazzi Controls S.p.A.

UWP 3.0 SE is ocially rated for Cybersecurity

IoT Security Capabilities Veried by the UL laboratories of Frankfurt, to Level Silver for UWP 3.0 SE

(SE= Security Enhancement).

The silver rating certies the enhanced security capabilities of UWP 3.0 SE regarding:

• Access control.

• Industry Privacy Best Practices.

• Product Security Maintenance.

• UWP 3.0 has been awarded with SILVER level IoT marking by the UL laboratories of Frankfurt.

Please nd here the relevant notes: https://ims.ul.com/iot-security-rating-levels

Please nd here the relevant certicate: https://verify.ul.com/verications/487

Page is loading ...

Page is loading ...

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

CARLO GAVAZZI UWP30RSEXXXSE User manual

Brand: CARLO GAVAZZI

Model: UWP30RSEXXXSE

Type: User manual

This manual is also suitable for

UWP30RSEXXX

Related papers

Other documents